Links

Classifications

G—PHYSICS

G06—COMPUTING; CALCULATING; COUNTING

G06F—ELECTRIC DIGITAL DATA PROCESSING

G06F8/00—Arrangements for software engineering

G06F8/30—Creation or generation of source code

Abstract

Programming and development infrastructure for an antonomic element is provided.The system includes a control plane (ISAC), a host server, a management console, and a module development environment. The ISAC contains an Automic Controller Engine (ACE) and management module(s). The module is comprised of a set of scenarios. The ISAC is embedded in a control plane.

Description

Programming And Development Infrastructure For An Autonomic Element FIELD OF INVENTION[0001 ] The present invention relates to programming and development infrastructure, and more particularly to programming and development infrastructure for an autonomic element. BACKGROUND OF THE INVENTION

[0002] The total cost of ownership of servers continues to rise despite improvements in hardware and software. Effective manageability remains a problem for a number of reasons. First, the management infrastructure deployed in the enterprise relies on t o traditional client-server architectures. Second, the high levels of human interaction result in reduced availability while servers wait for operators to diagnose and fix problems. Finally, the deployed management solutions are in-band, with software agents operating on servers communicating with centralized management platforms.This implies that server management is only possible when the operating system is t s functioning, which is often not the case when management is required. Clearly, change is necessary.

[0003] Delegation of responsibility is widely acknowledged as a way of getting things done in an industrial setting. Providing workers with the authority to make decisions speeds things up, making an enterprise more efficient. Translating this observation to 2o the server management problem, the solution is clear; empower management software to make decisions regarding change or reconfiguration. Empowering software to make decisions leads to a number of desirable software characteristics.

[0004] First, the software must be capable of autonomous decision making. In other words, the software should be an intelligent agent. This implies that the software 2s should separate its understanding (or knowledge) of what is to be managed from the ways in which problems are diagnosed. Second, the intelligent agent cannot be part of the managed system in terms of the resources that it consumes; e.g. CPU and disk.This requires some explanation. Imagine a scenario where a run-away process is consuming almost all of the CPU. It is difficult to see how an agent would be able to 3o control a server in these circumstances. Consider another scenario in which critically-low levels of disk space are detected. An agent sharing resources on the host would be unable to save information potentially critically important to the resolution of the problem. Finally, consider the scenario in which the operating system is hung; the agent can no longer communicate with external parties.

[0005] The scenarios described above lead to the inevitable conclusion that the agents tasked with delegated system management should reside on a separate control plane;that is a platform with separate computing and disk resources. Furthermore, the design of the computing platform should support the principles of Autonomic Computing, an area of computing recently proposed by IBM.to [0006] Autonomic Computing is a relatively recent field of study that focuses on the ability of computers to self manage [Ref.l]. Autonomic Computing is promoted as the means by which greater dependency [Ref.2] will be achieved in systems. This incorporates self diagnosis, self healing, self configuration and other independent behaviors, both reactive and proactive. Ideally, a system will adapt and learn normal 1s levels of resource usage and predict likely points of failure in the system. Certain benefits of computers that are capable of adapting to their usage environments and recovering from failures without human interaction are relatively obvious; specifically the total cost of ownership of a device is reduced and levels of system availability are increased. Repetitive work performed by human administrators is reduced, 2o knowledge of the system's performance over time is retained (assuming that the machine records or publishes information about the problems it detects and the solutions it applies), and events of significance are detected and handled with more consistency and speed than a human could likely provide.[0007] Agent Building and Learning Environment (ABLE) can be used to create 25 autonomic managers in Autonomic Computing. However, a methodology and process for the creation has not been established. Further, no programming environment has been built to embody the full software lifecycle.[0008] Environments for the general development and distribution of software have been built to dynamically upgrade software. However, there have been no programming and development infrastructure for an autonomic element, which applies specifically to the system management domain. SUMMARY OF THE INVENTION[0009] It is an object of the invention to provide a method and system that obviates or mitigates at least one of the disadvantages of existing systems.[0010] It is an object of the invention to provide an improved Programming And Development Infrastructure For An Autonomic Element.[0011 ] According to an aspect of the present invention there is provided a system and method for programming an autonomic element, which includes amodule 1 o development environment (MDE) module for creating and editing a management module, the autonomic element including an intelligent secure autonomic controller (ISAC) learning a behavior through the management module; and a management distribution environment (MDE) module for distributing the management module to the ISAC.15 [0012] According to a further aspect of the present invention there is provided a single board computer for programming an autonomic element.[0013] According to a further aspect of the present invention there is provided a system and method for distribution of software updates for an autonomic manager.[0014] According to a further aspect of the present invention there is provided a 2o system and method for configuration of an autonomic manager based upon managed element configuration.[0015] This summary of the invention does not necessarily describe all features of the invention. BRIEF DESCRIPTION OF THE DRAWINGS25 [0016] These and other features of the invention will become more apparent from the following description in which reference is made to the appended drawings wherein:

[0017] Figure 1 is a diagram showing an example of an autonomic element to which programming and development infrastructure in accordance with the present invention is suitably applied;[0018] Figure 2 is diagram showing an alternative architecture of Figure 1 for the server environment;[0019] Figure 3 is a view of the ISAC of Figure 2;[0020] Figure 4 is a diagram showing an application framework for management of an application:[0021] Figure 5 is a diagram showing a Common Information Model Object Manager t o (CIMOM);[0022] Figure 6 is a diagram showing the module archive structure of a management module;[0023] Figure 7 is a diagram showing a scenario related to the ISAC of Figure 2;[0024] Figure 8 is a diagram showing an exemplary operation for normal CPUmonitoring;[0025] Figure 9 is a diagram showing an exemplary operation for high CPUmonitoring;[0026] Figure 10 is a diagram showing a group management;[0027] Figure 11 is a diagram showing networks of autonomic elements; and [0028] Figure 12 is a diagram showing the ISAC having event consumer and event generator and a host.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS:[0029] 1. A Control Plane for Servers [0030] Figure 1 illustrates an example of an autonomic element to which programming and development infrastructure in accordance with the present invention is suitably applied.[0031] An autonomic element 1 of Figure 1 clearly separates management from managed element function, providing sensor (S) and effector (E) interfaces for management. It should minimally impact the functions of the managed element 4.While not explicitly shown in Figure 1, there is an implicitrequirement that the t o managed element should not be able to dominate, override or impede management activity. For example, if the managed element 4 and autonomic manager 2 share the same processor or memory address space this cannot be guaranteed owing to the management of these shared resources by a shared operating system. True autonomy requires a control plane, which has long been the view in the telecommunications ~ s domain.[0032] Figure 2 illustrates an alternative architecture specifically for the server environment. While it applies to servers, the architecture generalizes to other devices with a bus architecture. Figure 2 shows that an autonomic manager (2 of Figure 1) is instantiated using a hardware and software platform that communicates with the 2o managed element (the server; 4 of Figure 1) using an independent management bus 44. A PCI bus is used. However, IPMB may be added.[0033] The responsibilities of the autonomic manager (2) are rea~time management of the host hardware, operating system and hosted applications. The autonomic manager (2) runs customizable, policy-based, server/OS/application management 25 software thereby automating IT service management. It performs preventative maintenance tasks, detection, isolation, notification and recovery of host events~faults and records root cause forensics and other operating data of user interest.

n n n [0034] In Figure 2, "ISAC" represents "Intelligent Secure Autonomic Controller". The ISAC 20 is embedded in a control plane 21. The ISAC 20 includes Autonomic Controller Engine (ACE) 22.[0035] The system of Figure 2 is applicable to the server system disclosed in s Canadian Patent Application No. 02475387, which is incorporated herein by reference.[0036] Figure 3 illustrates a view of the ISAC 20 of Figure 2. The ISAC 20 of Figure 3 is a PCI-X card-based system that plugs into an available slot on the server.[0037] The ISAC 20 provides for separation of concerns such as: Fail-safe isolation and recovery of faults ~ Minimize host resource impacts ~ Containment of change management risks ~ Reduced reliance on the network [0038] It also provides host-independent security such as:t 5 ~ Independent policy enforcement ~ Delineation of administration roles ~ Tamper-proof "black box" and audit trail ~ Data persistence [0039] The ISAC 20 provides traditional "lights out" card functionality that allows for 2o remote management, such as remote display of host video, keyboard and mouse redirection over the card's network interface card and virtual devices for remote booting; e.g. virtual floppy and CD. These functions relate primarily to management involving human intervention. For details on remote management card design and function, the reader should consult [Ref. 3], [Ref. 4] or [Ref. 5]. The ISAC card 20 has full control of power management functionality and can, through software, cause full power down, power recycling and reset of the server.[0040] Referring to Figure 2, there are several architectural components in the design.On the host server 30, two software components reside: the PCI driver 32 and the host service 34. On the ISAC card 20, there are several components: operating system, PCI driver, ACE 22 and management modules 24.[0041] Referring to Figures 1-2, the host service 34 provides sensor (S) and effector (E) implementations. The lines between the sensor (S) and effector (E) and the autonomic manager 2 are provided by the PCI drivers on the host 30 and ISAC card 20. The knowledge 14 of Figure 1 is provided by the Management Modules 24 of Figure 2. The Monitor 6, Analyze 8, Plan 10 and Execute 12 functionality is provided by the ACE 22. It is reasonable to describe the design of the ISAC card 20 embedded in the host server 30 as an autonomic element.[0042] Other software components of Figure 2 include the Management Console 40 t s and Module Development Environment (MDE) 42. The responsibilities of these two components are ISAC group management and module creationlediting respectively.[0043] The MDE 42 is used to create and edit management modules. A management module is the unit of deployment of management expertise in the Symbium solution.As such, it consists of policies that assist in managing the server and its applications 2o along with utilities to support those policies. Management modules are deployed to one or more ISACs via the SMC. One or more management modules can be deployed to an ISAC. The Module Development Environment and a module distribution environment are used to download the management modules to the ISAC. The module distribution environment is contained within a Symbium Management Console. The 2s Module Development Environment creates the modules- called module archives --for distribution. The module archives are customized by the Symbium Management Console and send to groups of ISACs. The ACE receives and unbundles the archives.An autonomic manager (as instantiated using the ISAC and ACE) can be configured using the Symbium Management Console. Self configuring elements are included as part of each module archive. These software elements run automatically when the module archive is unbundled and loaded into a running ACE.[0044] 1.1 Principles of Design [0045] The design principles for the hardware and software in the ISAC system are described.[0046] Referring to Figure 2, the ISAC card 20 has full control over the server and can operate with complete autonomy, if required. The card 20, through software, is capable of recycling the server power if necessary and can dynamically change the order of boot devices if necessary in order to boot from a known image.t o [0047] The ISAC card 20 does not depend upon the host for power but can use power from the PCI bus if present. As can be seen from Figure 2, batteries are provided. However, the card 20 can also be driven from a wall outlet.[0048] The ISAC card 20 can recycle itself without affecting the host, this being required when certain upgrades occur. Related to this, important state information can t 5 be stored on the ISAC card 20; non-volatile memory 26 is provided for this purpose.[0049] Concerning software design, the system is designed to be hot-swappable [Ref.7], [Ref. 8], [Ref. 9]; that is, software elements can be upgraded as new functionality becomes available or bugs are fixed. Software hot swapping may be an important characteristic for autonomic systems [Ref.lO]. The main control principle 2o in our design is derived from Recovery Oriented Computing (ROC) [Ref. 6]; that is, the minimal part of the system will be reset (also referred to as microrebooting) when a hung or fault state is detected [Ref.l l], [Ref.l2]. ROC has been shown to improve availability [Ref. 13] by focusing on mean time to recovery or repair (MTTR) while allowing for faulty software at all levels of the software stack.25 [0050] The design of the various autonomic element software components is described.[0051] 1.2 The Host PCI Driver (32 of Figure 2) _g_ [0052] Referring to Figure 2, the Host PCI Driver 32 is the communications conduit through which all data is passed. The conduit supports multiple channels in order to allow for prioritization of data traffic. The lower the channel number, the higher the priority of the traffic. Channel zero is a reserved channel meant for management traffic. This channel is used to synchronize the protocol version running between the two ends of the conduit and to restart communications when either end of the conduit has been rebooted. Either end of the conduit can ask to have the conduit restarted. It is also possible to have a new version of the driver for the host passed from the card to the host in the case of driver upgrade. A restart of the conduit automatically occurs t o when an upgrade has been performed.[0053] Communications synchronization is transparent to the ACE 22, although it is possible for the ACE 22 to request resynchronization. Resynchronization can occur when the heartbeat expected from the driver is not received within a reasonable amount of time. In this case the driver is restarted on the host; i.e. a microreboot [Ref.t 5 13] is requested. In certain circumstances, the OS needs to be recycled.[0054] 1.3 The Host Service (34 of Figure 2) [0055] Referring to Figure 2, the Host Service 34 acts as a proxy for the ACE 22.The ACE 22 communicates with the Host Service 34 in order to poll for operational measurements, subscribe for events of interest and manage the service.20 [0056] Two protocols are supported for operational measurements and event subscription: Windows Management Instrumentation (WMI) and a proprietary protocol. WMI is Microsoft's interpretation of the Common Information Model (CIM) and is mature. A proprietary protocol is provided for situations in which a CIMmeasurement provider is not available or when legacy measurement providers already 25 exist; e.g. printer management for certain vendors using SNMP.[0057] The Host Service 34 also provides mechanisms for acting on behalf of the ACE 22; i.e. it provides the instantiation of effectors for the action requests made by the ACE 22. Effectors include stopping or starting a service or process and rebooting the operating system, for example.

[0058] Recovery oriented control is also provided for the Host Service 34. Aheartbeat is expected from the Host Service 34. If one is not received within a user-definable period of time, the service is automatically restarted. Should the service not restart, a decision is made by the ACE 22 whether to restart the operating system.s While watchdog timer cards can provide some of the functionality provided above, they suffer from a lack of end user programmability.[0059] The Host Service 34 is designed to be extensible and upgradeable. New host service components - dynamic link libraries (DLLs) - can be transferred across the management bus and register with the service. These libraries are installed in a well-1 o known location which is accessed when the service starts. When new or upgraded functionality is installed, the Host Service 34 is automatically recycled, which is an event that is detected by the ACE 22. This microrebootrequest [Ref. 13] ensures that we can upgrade monitoring functionality without interrupting services offered by the host. Upon detection, the ACE 22 automatically ensures that events of interest are 1 s subscribed to.[0060] The Host Service 26 occupies a small footprint on the host, typically requiring less than 2% of the processor for measurement operations.[0061] 1.4 ISAC Card (20 of Figure 2) [0062] The design of the ACE software, and the customizability of its behavior via 2o the development of scenarios and policies are described. It is noted that other components of the architecture play a significant role as well. For example, in the embodiment of the present invention the software resides on a proprietary piece of hardware, a PCI-X card that is installed inside the server to be managed. For example, the card has its own Intel PXA255 processor (similar to those found in a 2s personal digital assistant), which runs a version of Linux as its operating system, as well as a Java virtual machine that supports J2ME, a subset of Java designed to run on embedded devices. In the embodiment of the present invention the J9 Java virtual machine is used; however, the Sun embedded JVM has also been used. The card 20 also has several other features including its own memory (64 Meg), non-volatile 30 storage (32 Meg), and external interfaces for network and serial (e.g. USB) communications. Although it normally relies on the host's power supply, it has backup power to ensure that it can stay alive even when the host is shut off. For example, Figure 3 shows the rechargeable batteries carried on board.[0063] Using an independent control plane 21 has multiple benefits; the host system's s CPU is not preoccupied with self management, which would impede its performance and might negate many of the benefits that the autonomous controller can provide. Asmall portion of the host's resources may be required for the collection of data and its transmission to the card 20, however as much work as possible is delegated to the card 20. Specifically, the Monitor (6), Analyze (8), Plan (10) and Execute (12) functions t o of the autonomic manager (2) are performed by the card processor, not the host server processor. This configuration is also much more fault-tolerant, as the ACE 22 can remain active even in the case of a server crash, and can still attempt to take actions such as rebooting the server it resides in. As the card 20 is active during the POST of the server itself, it can take actions that are not possible in the case of a software-only 15 on-server solution.[0064] 2. Autonomic Controller Engine Design [0065] In order for autonomic systems to be effective, the adoption of open standards may be desired. There is little hope for the seamless integration of applications across large heterogeneous systems if each relies heavily on proprietary protocols and 2o platform-dependent technologies. Open standards provide the benefits of both extensibility and flexibility -- and they are likely based on the input of many knowledgeable designers. As such, the widely-used standards tend to come with all of the other benefits of a well thought-out design.[0066] Java is one of the languages for implementation of the ACE 22, for reasons 25 including its widespread industry use, platform independence, object model, strong security model and the multitude of open-source technologies and development tools available for the language. All development was undertaken in Eclipse, for example.-tt-[0067] The Common Information Model (CIM) is used within the system in order to obtain information on the managed objects available on the server. Further detail on the use of CIM is described below.[0068] Also, referring to Figure 2, the extensible markup language (XML) is used for communications with remote managers, such as the Management Console using HTTP as the transport protocol. Web-based Enterprise Management (WBEM) is used for card manageability, with WS-Management being considered for a future release.[0069] The Open Services Gateway Interface (OSGi) is used for service and management module deployment.[0070] A control plane separates management concerns for the server in the following ways.[0071 ] It provides an environment which is fail safe. If the control plane fails, the server is unaffected. Contrast this with a software agent approach, whereby an agent running on the server with a memory leak will cause resources on the server to become exhausted eventually, possibly making the server unresponsive. An unresponsive server represents a serious management challenge as remote control through an in-band interface may be impossible. A control plane allows for recovery at many different levels: application, process, service, operating system and various hardware levels. Through an understanding of the dependencies between hardware 2o and software components it provides the ability to reboot the minimum set required to reestablish nominal server operation.[0072] A control plane minimizes the resources required by the management solution on the host. Referring to Figure 1, in a control plane all processing of sensor information occurs within the autonomic manager and all management state resides there with critical state being stored in non-volatile memory. Contrast this with a software agent approach where multiple agents run on the host. Significant memory and CPU cycles are required in order to monitor state; state which is lost if the host needs to be rebooted. A control plane delivers data persistence for follow-on root cause analysis.

[0073] A control plane contains change management risks. The lifecycle of a host involves change, change to applications, services and the operating system. Having a control plane ensures that as upgrades occur, the host can be monitored and upgrades halted if abnormal or unexpected behavior is observed. Upgrading the software running on the control plane does not affect the host at all. Contrast this with the software agent management approach where unexpected behavior in the new version of an agent may make the host unmanageable or significantly degrade its performance.[0074] A control plane does not rely on the network interfaces provided by the host. It t o uses its own network interface for management communication. No management traffic is transferred over the host data channels, which implies that polling rates for management information have no impact on the bandwidth available for host application traffic.[0075] 2.1 Service-oriented framework 15 [0076] Since the engine's behavior depends entirely on a configurable list of services to initialize at runtime, as well as the set of modules to be run, a great deal of flexibility and extensibility is provided without the need for rebuilding the engine or writing very much, if any, code. While an application server would have been ideal for this purpose -- with web archives being the unit of deployment -- the resource 2o constraints of the card necessitated the creation of a thin application framework for management of the lifecycle of services. This is shown in Figure 4.[0077] The application framework 50 of Figure 4 ensures that services are restarted if they fail and maintains dependencies between them. The application framework 50 is also responsible for management of the application itself. The framework 50 runs on 25 top of the J9 JAM; the Java Native Interface (JNI) being used to interface with the various drivers (e.g. PCI communications driver) that are implemented in the Cprogramming language. Services can be plugged and unplugged dynamically; i.e. hot swapping is supported. Services are arranged in bundles, with bundle lifecycle management being the responsibility of the OSGi [Ref. 14] standard implemented by 3o the Services Management Framework (SMF) built by IBM. Other open source implementations of the OSGi specification are available (e.g. OSCAR); however, SMF may be preferable.[0078] The OSGi is an effort to standardize the way in which managed services can be delivered to networked devices. It is being developed through contributions by experts from many companies in a wide variety of fields (such as manufacturers of Bluetooth devices, smart appliances, and home energy/security systems). An open specification is provided for a service platform so that custom services can be developed (in Java), deployed, and managed remotely.[0079] The OSGi Service Platform framework specifies how applications should be bundled, the interfaces they must support, as well as a set of standard services that must be provided for use by applications. A security model, namespace scoping, and specifications for interactions between running services are some of the features also provided.[0080] Management Modules (26 of Figure 2) -the units of management knowledge t5 in the system - are OSGi bundles too. This use of OSGi ensures that one module cannot clash with another as bundles are managed in separate namespaces. Extensive security facilities are also provided by OSGi. Interested readers should consult the OSGi whitepaper [Ref.lS] for further information of OSGi architecture and services.[0081] Several services have been implemented for the ACE 22, which include: a 2o managed object manager service, host communications service and module management service.[0082] The managed object manager service is a thin version of a Common Information Model Object Manager (CIMOM) 52 as shown in Figure 5. A full CIMOM on card may be difficult owing to the resources that are required to sustain it.25 However, standard WBEM interfaces are provided in order to ensure easy integration with enterprise management systems. Specifically, CIIVI-XML is supported. The design of the simplified model is described below.[0083] The host communications service has been designed for the current form factor and communications bus. However, although the autonomic controller has originally been designed to be placed on a PCI-X card in a host machine, there is really only one service responsible for host communications. Another service adhering tothe same interface could be quickly written and deployed which would allow the controller software to run directly on the host, perhaps obtaining information using WMI (for a Windows host.) Alternatively it would be possible to implement the same interface as a simulator, providing support for testing and development even when hardware is unavailable.[0084] The module management service is responsible for loading, unloading and general lifecycle management of modules - the units of management expertise in the to system and the knowledge component (14) shown in Figure 1. The module management service is responsible for creation of the run time model, which is a hybrid of event propagation and rule processing.[0085] 2.2 Security [0086] The design of an autonomic element has to pay special attention to security.~ s The control plane approach to autonomic element design has particular advantages in this regard.[0087] Through use of a Linux distribution, a firewall is automatically provided.Authentication to the card is provided by a pluggable authentication module (PAM).In the embodiment of the present invention, a simple user-id~assword system is 2o provided. However, it may be integrated with with enterprise class LDARbased authentication mechanisms. As shown in Figure 2, all communicatrJns to and from the server is encrypted using SSL, with the card certificate being pre-installed on the ISAC 20. Further application level security is provided through OSGi, where bundles can be run in different class loaders and considerable control of inter~bundle 25 interaction is provided. Monitoring of management module activity is also provided by a built-in management module.[0088] Security of managed elements is of increasing concern in today's IT world.New viruses, worms and trojans are reported daily and writers of these pieces of software exploit flaws in the operating system or applications or rely upon social engineering to achieve their goals. Malicious software ("malware") writers have become increasingly sophisticated in their attacks on the operating system and hosted applications to the point where deployed anti-virus software can be either shut down or removed from the system entirely. This is possible as a result of the privilege levels associated with the entity (user) responsible for running the software. Having an independent control plane enforcing security policy makes it impossible that a piece of malware can circumvent security and enforcement becomes the responsibility of the control plane.[0089] A further advantage of the control plane is that the security model employed 1 o becomes independent of the model used within the operating system on the host. This independent security plane makes coherent security policy enforcement possible; that is, regardless of the operating system running on the host,the same privilege levels apply. Separating security responsibilities also implies that separation of administration roles takes place. Any attempt to compromise the security of the host 15 such as changing the privilege levels of a user applies only to the operating system;the control plane remains unaffected. With incidents of malicious intent by seemingly trusted IT insiders being commonplace, independent security enforcement as delivered by the control plane is critical.[0090] Yet another benefit of using a control plane versus traditional software agent-2o based approaches is that remotely managed systems do not require the puncturing of their site firewall(s) to allow for the transmittal of (often sensitive) data to a central management console for analysis. The control plane can provide fully autonomous, localized data analysis and policy enforcement; all without burdening the managed system and associated network compute resources. For situations where reporting to a 25 central management console is desired, the control plane can report up meaningful events of interest to the console and not a large volume of raw observations like traditional software agents.[0091 J In a secure system, audit information is collected and made available for review at some later time. In an audit log stored on the host, intrusive activity may 3o rewrite or delete important forensic information. When a control plane is present, logs may be written to non-volatile storage and cannot be accessed from the host directly.Furthermore, the timestamp on the logs need not be generated from the host clock, which itself may be affected by intrusive behavior.[0092] 2.3 Module Development s [0093] Environments for the creation of autonomic managers have been proposed [Ref. 16]. Sterritt, in [Ref. 17], describes the event correlation requirements for autonomic computing systems. In [Ref. 18], Figure 1b, the requirements of an autonomic manager are described in terms of the functions that they must perform. Of particular interest to this paper is the requirement for rules engines and simple (event) t o correlators. The design described here provides both of these elements.[0094] Event correlation [Ref. 19] has received significant attention in the research community over the last 15 years, with dependency graphs [Ref. 20] being a significant mechanism for root cause analysis determination. Event propagation systems have been constructed, with the Yemanja system [Ref. 21). The Yemanja 15 system promotes the idea of loose coupling rather than explicit graphs, which we find appealing as it reduces the need to maintain accurate dependency graphs. From [Ref.21]: "Yemanja is a model-based event correlation engine for mufti-layer fault diagnosis. It targets complex propagating fault scenarios, and can smoothly correlate low-level network events with high-level application performance alerts related to 2o quality of service violations."[0095] The key concepts built into the autonomic manager in accordance with the embodiment of the present invention are described below.[0096] 2.4 Module Components and Concepts [0097] The ACE 22 was designed to be extensible in many ways. One of the primary 2s requirements is the ability to define and implement customized behaviors based on user-defined management scenarios without rewriting or rebuilding the engine itself.Therefore, management scenarios compile to Java classes that become part of the running application once loaded.-t~-[0098) Referring to Figure 2, the management module (or module) 24 comprises the knowledge component 14 of the autonomic manager 2. In the embodiment of the present invention, a module is instantiated in a module archive, similar in structure and intent to a web archive used by application servers. A partial example is shown in Figure 6. The module archive is a directory structure of a standard format that contains classes and resources that encode a management scenario of interest. The module archive also contains dynamic link libraries that may be required in order to augment the low level instrumentation on the host and HTML documents that allow a user to interact with the run time version of the module for purposes of configuration.I o [0099] From an autonomic manager's perspective, the module 24 is comprised of a set of scenarios related on a conceptual level -- for example there might be a module defined to manage printers, another to audit host performance in order to establish normal levels of resource consumption, and a third to enforce hos~based security.[00100] A scenario encompasses data and host information to be monitored, as 15 well as the processing of this information: conditions, filters and thresholds to be satisfied, and actions to be taken, for instance events to be logged and alarms to be raised. The modules 24 are completely pluggable, meaning that they can be installed, updated or reconfigured at runtime, and require no modifications to the engine framework. Provisions have been made for the extension of the engine via the 2o development of custom low-level reusable components as well, thanks in large part to the use of well-defined interfaces for each component type.[00101] Figure 7 shows the principal concepts used in the ACE (22) and how they relate to one another. Figure 7 represents a simple scenario when observation tasks feed measurements or system events into an event provider, which, in turn, feed 2s them into a policy. It is noted that Figure 7 is simplified as event providers can feed multiple policies.[00102] When a module is loaded, 3 important processes occur. First, the definition of each policy 70 is loaded. Second, the definition of each event provider 72 is loaded. Referring to Figure 5, the repository 54 is consulted for this information.3o Referring to Figure 7, a linkage between event providers 72 and policies 70 is created.

Policy and event specifications are stored in properties files. An XML schema is designed.[00103] Example Policy Specification is as follows:policy.class=com.symbium.jeops.JeopsPolicy s kb.properties=os2k cpu mon~olicy_l.properties kb.class=com.symbium.jeops.CPUMonPolicyl name=os2k cpu mon-policy-1 description=normal CPU monitoring policy event.source.0=os2k_cpu mon~event 1 [00104] The important aspects of policy specification are the class to be loaded to represent the policy (policy.class), the actual implementation class for the reasoning used by the policy (kb.class) and event sources) of interest tothe policy (event.source.X, X=0,1,2, ...).[00105] Policies will likely be defined by system administrators, rather than t s programmers, and as such they should be specified at a level abstracted as much as possible from low-level systemlimplementation details. Policies are built using the MDE (42), which is a graphical development environment where a designer drags elements from a palette onto a canvas. The current prototypical environment is built as a series of plug-ins to Eclipse [Ref. 22].20 [00106] The ACE (22) currently supports two mechanisms for supporting policy definition. The first is via rule sets which are compiled into a knowledgebase and used by a forward-chaining inference engine (as shown in the above example policy specification), and the second is through a visual state-machine editor, which outputs a description of the policy that the engine can consume and build 25 dynamically. Rules and finite state machines were selected as two reasonable ways of expressing policy, though the system could easily be extended with other types of policies as well, because the framework is completely isolated from the implementation of the underlying mechanisms. Thus we are not restricted to using a rule-based forward-chaining inference engine or a finite state machine, and policies in the future could be developed around neural nets or other artificial-intelligence constructs, where such concepts are deemed to be beneficial and an adaptive system is required.[00107] If rules are used to specify the policy, then conditions and actions are evaluated and executed by a forward-chaining inference engine. Currently the ACE(22) uses an open-source inference engine called JEOPS [Ref. 23]. Alternatively, the execution of policies derived from state machines is handled by a proprietary dynamic 1o state machine. ABLE [Ref. 24] was considered for the Engine but was found to be too resource intensive for our embedded platform.[00108] A module developer will specify the actions of a policy using a set of high-level objects, known as effectors, which encapsulate the lov~level details required by the engine to perform common actions. Examples of effectors are:15 terminate a process, reboot the server, and remove a file from the file system. Policies can also be written in Java if desired, though it is expected that the MDE (42) will be used to facilitate scenario and policy-development with limited or no programming knowledge using the drag and drop visual programming paradigm referred to earlier.[00109] Referring to Figure 7, at the lowest level of a scenario, sensorsconvert 2o raw data 76 from the host (such as the value of a performance counter) into a (typically platform-independent) observation 78. The observation task 74 provides an important abstraction away from raw measurements made on the host system. As such, it intended to decouple sensing from reasoning. Ideally, the sensory interface would use only the CIM; however, this to be insufficient for certain types of scenario;25 e.g. printer queue management. For this reason, the sensor abstraction layer is present in the system. The layer also, in principle, allows for the use of the ACE (22) as an autonomic manager (2) in domains where the CIM has yet to be applied.[001 l OJ The observation object is used as input to the event processor where a dynamic and fully-customizable pipeline of atomic software objects called observation processors filters and manipulates this observation, ultimately determining the relevance of its contents.[00111] Figure 8 shows an example of pipelining. Pipelining or the filter design pattern of processing has long been used as a mechanism for combining simple programming elements, dynamically composed, in order to transform a data stream (e.g. UNIX script programming).[00112] Referred to Figure 7, the autonomic controller can use this pipeline to perform a wide variety of actions: for example a given observation processor may be configured to ignore a certain type of observation based on some configurable criteria, or store its contents for later use, or it may use one or more observations to generate an event 80. The event 80 is similar in structure to the observation 78, however, differs in that it implies that something of significance at a higher-level has occurred. The observation processing pipeline is constructed and managed by the event providers 72, which also handle the dispatching of events 80 to policies 70, or to other event providers, which can be chained together to allow further processing.[00113] Policies employ high-level system objects called effectors 82, which have well-defined behaviors and are designed to encapsulate the lower level details of taking common system actions. Effectors 82 are also configurable and lightweight, so it is simple to extend the engine's ability to perform system actions. The effector 82 2o hides the actual communication with the host and automatically generates an event 70 when completed which is fed back to the policy that invoked it. This ensures that a policy can track whether a state-changing action has succeeded or not.[00114] All components involved in observation and event creation, distribution, and evaluation are handled by the framework using only wel~defined interfaces in order to facilitate customization and extension. They have been defined with a visual development environment in mind, in which one could literally drag-and-drop the desired processing components from a palette, and connect them together, allowing the creation of scenarios of virtually any level of complexity. The palette is extensible and each processing component is highly configurable: really a component is then a template for a particular type of processing, and each instance can have specific configuration (such as, threshold values, observation filtering, etc.).[00115] 2.5 An Example Scenario [00116] To demonstrate the design of the autonomic controller, consider the following example. The example was identified by a domain expert as a realistic use-case and implemented for Windows 2000 and 2003 servers. As part of general resource-allocation planning, a system administrator needs to ensure that a server las sufficient processing power to handle its normal workload, with enough left over to allow for occasional peaks in usage. Windows keeps performance counters that can t o provide statistical data about the percentage of a CPU which is being used as well as the processor queue length, both of which can assist in evaluating how busy a particular processor is. These counters can be polled programmatically using either a proprietary interface to the API provided by Windows, or via the Windows Management Instrumentation infrastructure.15 [00117) Figure 8 provides an encoding of the scenario described above.Suppose that a high level, the administrator defines the following policy to ensure that a server has sufficient computing power for its load: if the CPU usage exceeck 85%for a sustained period of 30 minutes and simultaneously the processor queue length is always greater than 2 over the same period, then the processor is considered to be 2o unusually busy. It is noted that these statistics are polled, so the actual values may fluctuate and could drop below the specified thresholds.[00118] When a server seems to be experiencing this abnormally heavy load, the administrator would like the ISAC card (20) to take several actions, which can ultimately be used in the analysis of the cause. First, an alarm should be raised and 25 sent to remote management consoles) monitoring the card (20). An alarm indicates the time that an issue was detected, the type of problem that has been observed and its suspected severity-level, and possibly some other relevant information about the host system. In order to better understand the context for the high CPU usage, the administrator has specified that when this condition is detected, intensive monitoring 30 of several other statistics for a specified time would be useful. To do this, the ACE

(22) will initiate the monitoring of about a dozen additional counters, which will be polled every 10 seconds and averaged over a five minute window. This information is aggregated and sent to the administrator in an email message, and normal performance monitoring is resumed.[00119] To achieve this behavior, a module developer begins by specifying configuration parameters for two performance counter sensors, one for CPU usage (PCOT A in Figure 8 and the other for processor queue length, PCOT B in Figure 8).The parameters to be configured are the performance counter name and the polling frequency. Then the observation processing pipeline must be defined to filter and aggregate the observations to determine whether the triggering conditions have been met. This processing is performed by small objects with very specific roles. First, the observation from each sensor is passed to a separate instance of a type of observation processor called a tripwire monitor (Tripwire A and B in Figure 8). These processors are each configured with a threshold value (e.g. 85% for the processing of the CPU~ 5 usage counter observation), and each generates an observation that indicates whether the threshold has been crossed or not. To s~isfy the requirement that the threshold is exceeded for a sustained time period, the next processor evaluating each observation keeps track of how many times in a row the threshold has been crossed, and only passes along an observation once enough occurrences have been counted (Counter A2o and B in Figure 8). At this point the pipeline can determine that the requirements have individually been met to identify high CPU usage, but another piece is required to make sure that these happen concurrently. To aggregate observations, an observation processor implementing a dynamic finite state machine was built (FSM in Figure 8). The states and transitions are entirely configurable so that it can meet the 25 requirements of a wide variety of applications. In one embodiment, it has four states:the initial state, a state for counter A, a state for counter B, and a state for both. Timeouts have also been implemented so that the FSM can change states automatically after a certain amount of elapsed time. When the FSM d~ermines that both counters are true, it generates an event to inform the policy that high CPU usage 3o has been detected. At this point, the policy raises an alarm and causes another event provider to start, which controls the sensors for the additional pa-formance counters and uses its observation processing pipeline to average their values. These values are sent to an administrator's a-mail account via an effector that hides the details of SMTP. The aggregation mechanism is shown in Figure 9.[00120] Referring to Figure 9, when the "High CPU Monitoring" policy is started, the various observation tasks for the performance counters of interest (PCOTX, X = A, B, . .. N) are automatically started. For each observation made, the measurement is passed through an averaging window observation processor (Averaging Window Y, Y = A, B, ... N). When sufficient samples of the performance counters have been collected, a rule fires in the CPU Monitoring Policy 2 rule base that does 2 things: creates a report to send to an administrator and switches off the 1 o monitoring policy. Switching the policy off automatically stops the polling by the various performance counter observation tasks.[00121] Numerous other management scenarios have been captured that involve access to other information sources; e.g. the Windows registry. The management of run-away processes has been provided; processes with memory leaks are automatically terminated and restarted (an example of a microreboot). Automated printer queue management has been encoded by polling printer queues to see if jobs hang, hanging being determined by a non-zero number of jobs but not bytes processed in a specific interval. In the case of Microsoft Exchange, policies have been constructed that ensures all serviceslprocesses are kept up, restarting in the correct order when needed; e.g. routing engine service. Finally, a security module has been encoded that allow a user to specify the set of processes that can run; all other processed being automatically terminated without user intervention.[00122] 2.6 ISAC Group Management [00123] While autonomic elements may well change the way in which devices are managed, there still remains a need to integrate them with legacy enterprise management systems. Figure 10 shows how group management is achieved. The management console 40 is the point of integration where alarms and events from a group of ISACs (20) are consolidated. It is also the point through which primary integration with enterprise management systems (e.g. HP OpenView) takes place. The 3o management console 40 is also capable of discovering ISACs, although ISAC

discovery of a management console is also possible for deployment scenarios where ISACs reside behind a corporate firewall and group management is undertaken from outside the firewall.[00124] 3. Future work [00125] The design of an autonomic element for the server domain has been described. We have shown how the architecture and design of the ISAC and ACE map onto the autonomic manager.[00126] Figure 11 (due to J. Kephart of IBM) graphically demonstrates the direction that the work should follow; namely, networks of autonomic elements that to self organize to achieve highly available business processes. It is our view that business process management will only be possible with autonomic elements. In the future, we will examine autonomic control in distributed systems, where groups of autonomic controllers coordinate with each other to provide large systems with the same capabilities that an individual card currently provides a single host. It is expected that a single autonomic manager will then take on the responsibility of reporting the well-being of the business process supported by the autonomic element network, thereby further reducing the alarm stream reported to legacy enterprise management systems.[00127] Several areas have been identified for future development of the ACE2o and the ISAC platform as a whole. A considerable amount of work must be done to fully develop the specified module development environment, which will facilitate the rapid definition of new scenarios, custom behaviors and components. The use of the Eclipse Model Framework (EMF) and the Graphical Editor Framework (GEF) will prove crucial here. The prototypical MDE, once fully developed, will facilitate third party development as well, allowing others to provide modules that run on the ISACplatform.[00128] The security model must be further refined, in particular for network communications. Since the controller is capable of doing so much on the host system, we must ensure that external access to the engine is strictly limited to avoid compromising the host.[00129] Performance enhancements and fine-tuning of the framework may be necessary to efficiently support large numbers of scenarios requiring simultaneous processing. The next generation of the hardware platform should also increase performance.[00130] Rules may not be sufficient to express all desired policies. As such, non rule-based policies (e.g. neural nets, etc.) may be implemented to extend the engine's abilities. It is intended that modules be created that can determinethe normal t o resource consumption levels for the server and set thresholds accordingly once a "burn in" period has elapsed.[00131] Many of the future extensions to the autonomic controller can hopefully occur without the need for reconstruction of the framework, such as the non rule-based policies and coordinated control.~ 5 [00132] The design of an autonomic system for server management has been described, which achieves separation of security responsibility (server administrators do not necessarily have access to ISAC management modules) and separation of availability considerations (the ACE cannot cause outage of the server).[00133] This autonomic system is operational and manages servers in 2o production environments within corporate settings. One set of users in a large financial institution has reported a 25% reduction in downtime on their email servers.Another set of users in an international managed service provider has been able to reduce recurring incident downtime from hours to minutes, while tripling the number of servers each administrator can effectively manage. The real value of the solution 25 will be determined largely by large user feedback, both in terms of performance and the facility of extending the framework with custom high-level scenarios. The development of the ACE so far has been restricted mainly to the infrastructure and the implementation of selected policies which serve to demonstrate its potential.

[00134] The further detail of the architecture can be found on Appendix attached herewith. Especially, the detail of the Module Development Environment and the Management Console are disclosed in the Appendix.[00135] The embodiments of the present invention have the following features:s ~ Programming of an autonomic element.~ Dynamic upgrade of the management software; specifically for: sensing, effecting and reasoning about the state of the managed element.~ Lifecycle maintenance of management software on the managed element and autonomic manager.~ Service on host is not interrupted when upgrades to autonomic manager occur.~ Provides simulation environment for debugging and testing of new or modified management software.~ Distribution of software for autonomic management to a group of autonomic managers.~ s ~ Self management of the autonomic manager; i.e. autonomic manager can diagnose faults in its own operation and act to recover from then.[00136] The embodiments of the present invention have the following advantages:~ Improved system management through effective delegation.~ Results in reduced cost of ownership of system.~ Higher system availability. Facilitates reuse of management knowledge by well-defined abstractions; e.g.excessive disk utilization problems can be characterized regardless of operating system and hardware.

i , , ~ System management best practices can be captured and reused.~ Ability to dynamically react to changes in the applications deployed on a system; e.g. if a new application is deployed the system can automatically acquire and configure management functionality for it.~ Provides a platform for coherent management of heterogeneous platforms; e.g. Windows and Linux operating systems.[00137] Further detail can be found in the Appendices 1- 19 which form an integral part of the Detailed Description section of this patent application.[00138] In addition, all citations listed on pages 31 and 32 are hereby incorporated by reference.[00139] While particular embodiments of the present invention have been shown and described, changes and modifications may be made to such embodiments without departing from the scope of the invention.

Claims (9)

1. A system for programming an autonomic element, comprising.a module development environment (MDE) module for creating and editing a management module, the autonomic element including an intelligent secure autonomic controller (ISAC) learning a behavior through the management module;and a management distribution environment (MDE) module for distributing the management module to the ISAC.

2. A system according to claim 1, wherein the management distribution environment is in a management console.

3. A system according to claim 1, wherein the MDE module is for distributing one or more management modules to a group of ISACs.

4. A system according to claim 1, wherein the programming system is embedded in a single board computer.

5. A system for distribution of software updates for an autonomic manager, comprising;

a module development environment (MDE) for creating one or more module archives for distribution, and a management console for customizing the module archives and sending the module archives to a group of intelligent secure autonomic controllers (ISACs), the ISAC including an autonomic controller engine (ACE), the ACE receiving and unbundling the module archives.

6. A system for configuration of an autonomic manager based upon managed element configuration, comprising:

a management console for customizing module archives and sending the module archives to an intelligent secure autonomic controller (ISAC), wherein self configuring elements are included as part of each module archive, the ISAC including an autonomic controller engine (ACE), wherein software elements associated with the module archive run automatically when the module archive is unbundled and loaded into a running ACE.

7. A method of implementing the system of claim 1.

8. A method of implementing the system of claim 5.

9. A method of implementing the system of claim 6.

CA 25043332005-04-152005-04-15Programming and development infrastructure for an autonomic element
AbandonedCA2504333A1
(en)